Question No: 151

What is the default behavior of an access list on the Cisco ASA security appliance?

It will permit or deny traffic based on the access-list criteria.

It will permit or deny all traffic on a specified interface.

An access group must be configured before the access list will take effect for traffic control.

It will allow all traffic.

Answer: C

Question No: 152

Which addresses are considered "ambiguous addresses" and are put on the greylist by the Cisco ASA botnet traffic filter feature?

addresses that are unknown

addresses that are on the greylist identified by the dynamic database

addresses that are blacklisted by the dynamic database but also are identified by the static whitelist

addresses that are associated with multiple domain names, but not all of these domain names are on the blacklist

Answer: D

Question No: 153

An administrator is deploying port-security to restrict traffic from certain ports to specific MAC addresses. Which two considerations must an administrator take into account when using the switchport port-security mac-address sticky command? (Choose two.)

The configuration will be updated with MAC addresses from traffic seen ingressing the port. The configuration will automatically be saved to NVRAM if no other changes to the configuration have been made.

The configuration will be updated with MAC addresses from traffic seen ingressing the port. The configuration will not automatically be saved to NVRAM.

Only MAC addresses with the 5th most significant bit of the address (the 'sticky' bit) set to 1 will be learned.

If configured on a trunk port without the 'vlan' keyword, it will apply to all vlans.

If configured on a trunk port without the 'vlan' keyword, it will apply only to the native vlan.

Answer: B,E

Question No: 154

Which action is considered a best practice for the Cisco ASA firewall?

Question No: 157

A router is being enabled for SSH command line access. The following steps have been taken:

-The vty ports have been configured with transport input SSH and login local.

-Local user accounts have been created.

-The enable password has been configured.

What additional step must be taken if users receive a 'connection refused' error when attempting to access the router via SSH?

An RSA keypair must be generated on the router

An access list permitting SSH inbound must be configured and applied to the vty ports

An access list permitting SSH outbound must be configured and applied to the vty ports

SSH v2.0 must be enabled on the router

Answer: A

Question No: 158

Which statement about SNMP support on the Cisco ASA appliance is true?

The Cisco ASA appliance supports only SNMPv1 or SNMPv2c.

The Cisco ASA appliance supports read-only and read-write access.

The Cisco ASA appliance supports three built-in SNMPv3 groups in Cisco ASDM: Authentication and Encryption, Authentication Only, and No Authentication, No Encryption.

The Cisco ASA appliance can send SNMP traps to the network management station only using SNMPv2.

Answer: C

Question No: 159

A network printer has a DHCP server service that cannot be disabled. How can a layer 2 switch be configured to prevent the printer from causing network issues?

Remove the ip helper-address

Configure a Port-ACL to block outbound TCP port 68

Configure DHCP snooping

Configure port-security

Answer: C

Question No: 160

Refer to the exhibit.

Which statement about this access list is true?

This access list does not work without 6to4 NAT

IPv6 to IPv4 traffic is permitted on the Cisco ASA by default

This access list is valid and works without additional configuration

This access list is not valid and does not work at all

We can pass only IPv6 to IPv6 and IPv4 to IPv4 traffic

Answer: A

Explanation:

ASA 9.0(1) code introduced the Unified ACL for IPv4 and IPv6. ACLs now support IPv4 and IPv6 addresses. You can even specify a mix of IPv4 and IPv6 addresses for the source and destination. The any keyword was changed to represent IPv4 and IPv6 traffic. The any4 and any6 keywords were added to represent IPv4-only and IPv6-only traffic, respectively. The IPv6-specific ACLs are deprecated. Existing IPv6 ACLs are migrated to extended ACLs.